SFS TeamTren de Aragua’s ATM “Jackpotting” Network: A Defensive Response to a Growing Transnational Threat
WASHINGTON D.C. – The United States is confronting a transnational criminal ecosystem in which cyber-enabled financial crime is increasingly used to generate liquid revenue for networks that thrive on violence, corruption, and coercive influence across borders. Tren de Aragua (TdA), a Venezuelan-origin organization now designated by the U.S. government as a Foreign Terrorist Organization (FTO), fits this pattern: adaptive, mobile, and capable of blending physical and digital methods to exploit vulnerabilities in institutions and jurisdictions.
This evolution matters because “jackpotting” is not merely a technical intrusion. It is a repeatable, portable, scalable cash-extraction pipeline, designed to move quickly across state lines, turning access to a machine into money that can be moved, laundered, and reallocated to sustain wider criminal operations. The map published by U.S. prosecutors illustrates the scope of the alleged activity: $40.73 million in reported losses and 1,529 total reports as of August 2025.
As alleged, these defendants employed methodical surveillance and burglary techniques to install malware into ATMs, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization.
Within this context, the indictments announced by the U.S. Attorney’s Office for the District of Nebraska are not a routine cybercrime headline; they represent a legitimate defensive action aimed at disrupting an alleged terror-finance-adjacent cash pipeline that converts technical compromise into immediate, movable cash. On December 18, 2025, federal prosecutors announced two indictments charging 54 individuals in a nationwide conspiracy to deploy malware and steal millions from ATMs, commonly referred to as “ATM jackpotting”.
An indictment returned December 9, 2025, charges 22 defendants, including conspiracy to provide material support to terrorists, as well as conspiracy to commit bank fraud, bank burglary/computer fraud, and money laundering. Prosecutors allege TdA used jackpotting to steal millions and then transferred proceeds among members and associates to conceal the cash’s criminal origin. A related indictment returned on October 21, 2025, charges 32 individuals with additional counts of fraud, burglary, and computer damage.
The allegations also highlight a consistent TdA tradecraft: recruiting teams to travel nationally, conduct reconnaissance, open ATM doors/hoods, and deploy a Ploutus malware variant, by direct hard-drive installation, hard-drive swaps, or external devices, while using anti-forensic features designed to delete traces and mislead victim institutions.
In parallel, the U.S. Treasury has moved against TdA’s support infrastructure. On December 3, 2025, OFAC sanctioned key TdA affiliates, including Venezuelan entertainer Jimena Romina Araya Navarro (“Rosita”), describing her as part of a network that provided material support and was linked to money laundering for TdA leadership. The Nebraska press release identifies Araya Navarro as one of the individuals named in the indictment and references her OFAC sanction.
SFS MONITORING: NEVADA AND NORTH DAKOTA AS EARLY INDICATORS
For years, the Center for a Secure Free Society has treated jackpotting-type incidents as observable “probes” of TdA’s presence and modus operandi: practical markers of mobility, coordination, hybrid cyber/physical capability, and revenue generation.
Nevada provided an early signal. SFS’s Tren de Aragua Activity Monitor documents that TdA-linked presence in Nevada became evident in August 2019, when Jesús Ernesto Reyes Garcia was indicted in Las Vegas for orchestrating an ATM jackpotting scheme that allegedly withdrew about $125,000.
North Dakota then demonstrated spillover into lower-incidence jurisdictions. SFS’s Activity Monitor documents a West Fargo ATM theft linked by local investigators to TdA, identifying Henry Theis as the accused and describing the case as a marker of potential expansion into the state.
THE STRATEGIC POINT
Taken together, Nevada (2019), North Dakota (2024), and now a nationwide Nebraska-led prosecution (2025), these cases show the same operational logic: TdA-linked jackpotting functions as a tactical revenue engine and a recognizable signature of presence that can surface before more overt violence becomes visible in a community.
For SFS, the Nebraska indictments should be understood as accurate and appropriate: they defend the integrity of the U.S. financial system while targeting an alleged revenue stream that prosecutors say was used to steal, launder, and move funds through TdA-linked networks, validating why sustained monitoring of jackpotting activity remains a critical method for mapping TdA behavior rooted in Venezuela and expressed across U.S. jurisdictions.